Spoofing GPS and getting your own UAV

A couple folks over at the Radionavigation Lab at UT Austin successfully spoofed GPS to take control of a small helicopter drone this weekend. Of course, this attracted the attention of the Department of Homeland Security, so you’d better stock up on GPS spoofing equipment while there’s still time.

The DHS, CIA, and US Military have a huge interest in spoofing GPS; Iran stole a drone late last year using the same method. The UT Austin team used only about $1000 worth of equipment to take control of an autonomous drone and pilot it away under unauthorized control. Of course with matters of homeland security, the open-source hacker scene has yet to publish how this spoofing attack was actually done, but here’s a paper covering what is needed to remotely control up to four GPS-guided drones.

While waiting on the details of this build to be made public, feel free to add your own insight in the comments as to how this attack was actually performed.

89 thoughts on “Spoofing GPS and getting your own UAV”

I’m thinking a USRP with specialized software…
GPS is basically just a satellite with a radio signal.

If you overpower that signal, you should be able to tell it that it’s somewhere else.. and, if you can tell the drone it’s somewhere else, assuming you know the math and other shit involved you should be able to broadcast gps coordinates to send it to a different location.

Keeping in mind though, it’s not like you can fire the drone or use any of its on-board cameras etc.. You can only move it to a new location.

So it’s not an immediate threat, maybe newer drones should communicate with each other to see if they can “fox hunt” the source of the new signal.. Then you could just capture the fuckers trying to steal your shit.

The only thing I’m wondering about is how Iran managed to land the damn thing. From the publicity photos, the undercarriage was completely covered so it was most likely a belly landing, but even that requires a relatively high degree of control.

The pictures didn’t show the drone’s belly and the wings were obviously broken and re-attached for the pictures. They certainly lured it into a crash-landing, but for the purpose they had (stealing the technology more or less intact) it was good enough.

GPS can tell you your position, track and groundspeed, but not your airspeed. Your position data can be garbage, but it won’t affect your airspeed since that’s measured by an onboard sensor called a pitot tube. Autoflight systems are designed to fly at target airspeeds, since airspeed is all that a wing senses. Spoofing position won’t cause the drone to fall out of the sky.

Track and groundspeed (which GPS can sense) are just the sum of the airspeed and wind aloft vectors.

My guess is that it had an auto-land routine built in for the case of low fuel reserves. All you have to do is spoof the base location signal, and if you are more or less at the same elevation, it should plop down with minimal damage.

Considering how accurate military GPS is supposed to be, I’m surprised that they didn’t notice that the rates drifted. The signal is usually accurate enough that you can put two antennas at either end of the wings and measure the width of the airplane, so why didn’t they notice that their plane was suddenly much larger?

IMU and dead reckoning will drift. That is a rate-limited, predictable error that the GPS should be allowed to correct.

But if anything were to start returning much different data that contradicts all other sensors, then it should be ignored. That includes the GPS.

I would expect military drone designers to be smart enough to know that, and to deal with the possibility of a broken or spoofed GPS.

So you would not be able to instantaneously alter a drone’s course with GPS spoofing. You’d have to slowly alter it, at a rate no more than the expected drift of other sensors. Which still could be used to eventually redirect it to a target, or bring it down. But it would be tricky, because if you exceed that rate at any time, you’d lose control until the drone trusts its GPS again.
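
The plausibility check described in the comment above (GPS may correct slow dead-reckoning drift, but a fix that contradicts the other sensors is ignored), as an added Python example that is not part of the original post or comments. The 1-D motion model, gate width, filter gain and CUSUM parameters are constructed assumptions; the cumulative test goes one step beyond the comment to flag a GPS offset that grows slowly enough to pass the per-fix gate.

```python
"""Plausibility gating of GPS fixes against dead reckoning (constructed 1-D model)."""
from dataclasses import dataclass


@dataclass
class NavFilter:
    pos: float = 0.0             # fused position estimate, metres
    gate_m: float = 15.0         # largest GPS-vs-dead-reckoning gap accepted per fix
    gain: float = 0.2            # fraction of an accepted gap used to correct drift
    slack_m: float = 1.0         # per-fix gap attributed to ordinary noise and drift
    cusum_limit_m: float = 40.0  # one-sided cumulative gap that raises the alarm
    use_cusum: bool = True       # False = per-fix gate only
    cusum_pos: float = 0.0
    cusum_neg: float = 0.0
    rejected: int = 0
    alarm: bool = False

    def step(self, dr_velocity, dt, gps_pos):
        """Advance by dead reckoning, then accept or reject one GPS fix."""
        self.pos += dr_velocity * dt
        gap = gps_pos - self.pos
        # Once the alarm is latched, or the fix is implausible, coast on dead reckoning.
        if self.alarm or abs(gap) > self.gate_m:
            self.rejected += 1
            return False
        if self.use_cusum:
            # One-sided CUSUM: small gaps of mixed sign cancel, a persistent pull adds up.
            self.cusum_pos = max(0.0, self.cusum_pos + gap - self.slack_m)
            self.cusum_neg = max(0.0, self.cusum_neg - gap - self.slack_m)
            if max(self.cusum_pos, self.cusum_neg) > self.cusum_limit_m:
                self.alarm = True
                self.rejected += 1
                return False
        self.pos += self.gain * gap
        return True


def simulate(gps_offset, use_cusum=True, steps=60, dt=1.0,
             v_true=20.0, dr_bias=0.1, start=20):
    """Fly a straight line; from step `start` the GPS fix is shifted by gps_offset(n).

    Returns (final position error in metres, the filter). The dead-reckoning
    velocity over-reads by dr_bias, which is the drift GPS is allowed to correct.
    """
    nav = NavFilter(use_cusum=use_cusum)
    true_pos = 0.0
    for k in range(steps):
        true_pos += v_true * dt
        offset = gps_offset(k - start) if k >= start else 0.0
        nav.step(v_true + dr_bias, dt, true_pos + offset)
    return nav.pos - true_pos, nav


def honest(n):
    return 0.0             # unmodified GPS


def jump(n):
    return 500.0           # fix suddenly 500 m away from every other sensor


def ramp(n):
    return 2.0 * (n + 1)   # offset growing 2 m per fix, each step inside the gate


if __name__ == "__main__":
    for name, fn, cusum in [("honest", honest, True), ("jump", jump, True),
                            ("ramp, gate only", ramp, False),
                            ("ramp, gate + CUSUM", ramp, True)]:
        err, nav = simulate(fn, use_cusum=cusum)
        print(f"{name:20s} error={err:7.2f} m rejected={nav.rejected:2d} alarm={nav.alarm}")
```

With the gate alone the slowly growing offset is accepted fix by fix and the estimate follows it; with the cumulative test the filter latches the alarm after a few fixes and coasts on dead reckoning.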

@Dax: If the IMU is broken? I think Nardella is right and you don’t know what an IMU is. Because otherwise, you’re suggesting that the gyros, accelerometers, airspeed sensor, and the compass are all broken *simultaneously*.

Not to mention whatever else the military with its large budget can afford to pile on. Robot already brought up terrain recognition, radar, and IR star scope. Other possibilities include sky polarization for orientation during daylight, and a barometer for altitude estimation.

And don’t forget that it’s common to have duplicate sensors and systems as backups whenever practical, should anything fail.

With all that information to compare, if you still can’t imagine how a drone could isolate and ignore a sensor that’s consistently returning data beyond a particular margin of error, you simply lack imagination.

you don’t understand anything about GPS… you don’t transmit coordinates or altitudes or anything like that. you transmit a single message: the current time.

GPS works by having multiple satellites in geosynchronous orbit all sending the same message at the same time. the GPS software on the client then takes all the available “current time” data from all the different receivers (at least 3, preferably 4 or more) and calculates where you must be based on the small differences in time the radio signals took to reach your antenna.

so, you’d have to spoof at least 4 signals at once, and send the data with the right offsets in the time data to make it think you were at some other place. i guess you could consider the combination of those 4 signals as a single signal that includes a location and altitude, but you never really send that data.

GPS spoofing…once my uncle was driving and the GPS-thingy told him to go THROUGH a wall…and this is why I use paper maps, compass and a sextant instead of a modern, talking, colourful and thinking GPS when I’m going to travel…
P.S.: Except for the sextant I’m not joking.

Paper maps that aren’t updated would take you up to that same wall wouldn’t they? The maps the GPS unit was relying on was/is the problem, not the GPS itself. Not sure if such an animal exists, but a talking GPS that uses no maps at all is likely to tell you anything if you punch in a location and tell it take me there. My old etrex will tell me how to get there from here, but it’s up to me to choose the sensible route as I go, with me and the etrex adjusting to each other as we near the destination.

Not necessarily. My GPS was always up to date and it sometimes wouldn’t be able to get a good fix on my location (or sometimes it did) and would tell me to do all sorts of crazy things that didn’t make any sense.

For instance at an overpass where there never was any ramp (and still isn’t) my tomtom would tell me to take a hard 90 degree right angle (and apparently, jump up 30ft in the air) all while it knew I was going 60 mph (and wouldn’t re-calc until after I’d passed, every time without fail.)

It had up to date maps, but there were still bugs in them. At any rate, other times, because of having a bad location, it would do just as dumb things, heck, one time, while driving along side a body of water, it showed that my car was actually in said body of water — clearly, I must’ve been driving a high-speed amphibious vehicle of some sort.

This could wreck the domestic non-military market for UAV. The UAV manufacturers will be coming down harder on this capability than anyone. The US government was too quick to dismantle the old school radio-navigation systems IMO. Although the videos of the tower destruction are awesome. As far as Iran or any other foreign country goes stay out of their neighborhood.

Do you blindly let the paper maps tell you what to do? (i.e. you just sit there and do nothing?) Why would you blindly do what the GPS tells you to do? GPS isn’t perfect (and I just had a terrible experience with one where it was off by a couple hundred feet, and wouldn’t give me decent directions), but it’s a hell of a lot better than paper maps.

I bought a handheld Garmin unit years ago, and I seem to remember the manual making a mention of the government having the ability to ‘scramble’ the satellite signals at will so as to ‘purposefully reduce the accuracy of the system for reasons of national security’ or something like that. At the time however, I don’t think they had thought this far ahead.

I think the manual was describing something different. For many years unencrypted GPS signals had a deliberate error introduced in order to frustrate non-authorized use. This feature is turned off now but the U.S. government reserves the right to turn it on again at any time.

@cplamb The US government also have the ability to “jam” it for specific areas while still allowing their “authorized” military units to continue using it. It was this ability that finally convinced them it was safe to stop scrambling the general GPS system.

@cplamb You say the US “reserves the right” to turn the error back on. This is not exactly true. While it would be physically possible at the moment to turn it back on, the US has stated that they don’t intend to ever do so, and that the next generation of GPS satellites will not have the capability.

Even if we don’t trust their claims, it’s still very unlikely they’d ever introduce the error again. So many things depend on accurate GPS now that breaking them all would be a huge expense and inconvenience, incredibly unpopular, and actually pretty pointless now that alternative satellite navigation systems exist.

Although this is possible with the older drones (predator) and some of the cheaper domestic style drones (like the copters), the new models that aren’t decades old use a trust version of GPS with encryption and authorization methods, that completely negate this. The Iran story is still BS, as that drone wasn’t hackable with the method they claimed to use. I’m not saying it isn’t hackable AT ALL, just not the way they said it was.

I used to work in the industry… Everyone is telling half the story, because it’s more sensational that way.

I agree with you something is fishy about Iran capturing a drone without shooting it down. I would have expected the remote pilot to notice something didn’t seem right before it was on the ground in the hands of Iran. I would also expect the UAV to be sending back compass, altitude and orientation data from separate sensors from the GPS. So somebody wanted them to have that drone.

From what I have seen all UAV have a remote human either flying or monitoring. I would expect a UAV to have at least the very basic sensors of an aircraft in addition to the GPS. Oh a small explosive in the control bay would be nice too but maybe that’s just in my world. So what I have been asked to believe is that using GPS alone Iran brought down a drone in one piece. Sorry I don’t trust the Govt that much to believe that one. But man could you imagine having to explain to your commander that you lost a drone to Iran. That would be a bad day.

Beware of the Industrial Military Complex. I wonder how much the UAV GPS upgrades cost?

The details of how iran did it are simply not known to us, and iran has some clever scientist and engineers and whatnot and are certainly capable of reading the damn internet and figure out basic things you can expect to be in such a drone and if they can fake the GPS they can also jam the remote operator surely.
Perhaps the thing reverts to contacting the operators over unsecured communication when GPS fails and that’s when they injected some new instructions for instance, and that it would be unsecured might seem odd but don’t forget that in the past the afghans were watching the feeds of drones because they forgot to encrypt those too originally, so who knows, maybe that fallback stuff was also old code.
Or perhaps it flew in circles waiting for instructions and when fuel got low auto-landed? Lots of things are possible.

from what i understand from some people that aren’t bullshitting about it. The Drone had either its guidance system hacked and/or shorted or something happened to set the drone into return to home mode. At this point the Iranians spoofed the drone’s GPS into thinking it was home over Beale AFB in California, and it tried to land. When in reality it was in iran over one of their Bases or some path with a runway that was almost exactly the same altitude as the runway the drone was previously set to land at. Thus, creating the nice “whole-under-the-drone-fucked-up-lets-hide-it-and pretend we are covering up some magic technology that Americans didn’t even know they had” look.

Thank you. No military aircraft uses the civilian unencrypted GPS for navigation. Back around Gulf War I not all aircraft got the upgrades so some used hand held civilian GPSs as a stop gap but that is past. The drone that went down without a doubt did not use civilian GPS and Iran did not bring it down by spoofing. It is really a shame that HAD retold that myth as factual. The drone in Texas was also not military and was using the civilian GPS signal.
The solution is for the next gen GPS system to use a public private key system and give out the public keys to everyone. That should prevent spoofing. Of course one should also make sure that there is more than one key so if compromised the keys can be changed.
As to why the drone crashed? Engine failure? It does happen folks.

While I’m no expert on these things drone, I would have thought drones are designed aerodynamically to be very slippery and have decent lift so that you can have them up for longer. So if as you say you got an engine failure or some kind of catastrophic electronics failure it would be more to have a slower rate of descent than other aircraft.

I don’t think it’s possible to use public key encryption for anti-spoofing. The way GPS works is that you have a pseudo-random sequence initialized by the key (or by a well-known value for the unencrypted signal) which is broadcast by the satellites and cross-correlated at the receiver. The delay of the peak in the cross-correlation gives the delay to the satellite from which the range can be calculated. You need to know the actual sequence in order to do the cross correlation but if you know the sequence you are also able to broadcast the same sequence with your own timing. If you broadcast it ahead of the signal from the satellite, then the receiver will reject the satellite’s signal, interpreting it as a multipath-delayed echo.

Thinking about it. It would not be that difficult to do. If you can spoof GPS data, you can essentially lie to the UAV and land it while it still thinks it’s on the ground. In fact, if your goal is to just bring it down, setting its height reference or whatnot to a negative number would do it.

Reading what I could about it, it is quite easy and I could probably do it for less money, but it would take a lot of effort to make the antennas, debug the system, etc.

Still, I could do it for 1/3 the price. lol

As far as using a “trusted” or “encrypted” GPS data stream, we all know that all it would take is someone determined enough and the encryption will be broken.

Now you might say, “It’s the government, their encryption is unbreakable!” Yea, we said the same thing about RSA and Blowfish.. Look what happened to those.

I was actually at Texas for the demonstration and saw it live. The GPS receiver was a “UT Radionavigation Lab Cornell CASES ASTRA Receiver.” I haven’t been able to find much low level information on it, but it is a high end SDR that uses both L1 and L2 GPS signals. The spoofing signal generator was covered and has its source code under lock and key (the FBI checks up regularly on these researchers.)

As far as the demo itself, they used a drone purchased from Adaptive Flight. Since civilians jamming GPS is illegal, they used a long run of flexible coax and a power combiner to pipe the spoofing signals to the helicopter (though apparently the team will be visiting White Sands Missile Range to do an over the air demonstration soon.) They never actually landed the helicopter or had any real control; they had a safety pilot use a remote control that connected directly to the flight control surfaces to land when the helicopter invariably lost control without GPS. In that respect the attack as demonstrated can only crash things, not fly them. Flying an aircraft would be tremendously difficult, probably involving a radar with low latency in a control loop that spans miles instead of meters inside the aircraft.

My understanding of what makes this attack unique is that it predicts the signal the target should be receiving, and only then changes the position by spoofing. The drone had a “GPS Denied Mode” that activates whenever the GPS signal is deemed unreliable. Since the spoofing begins with the correct signal and then varies it, it defeats this protection.

The real thrust of the research is not military, but protecting civilian targets and giving the industry some motivation to improve when UAV’s might fly 747’s for FedEx and deliver food to your door in the next few years.

Hmm. . . the 20+ year old Tomahawk cruise missile uses IMU, terrain recognition, radar, GPS and even an IR star scope for navigation. I would like to think that any mission critical drone would use a similar complement of navigation aids to find its location and heading. I guess the trick is detecting when GPS is leading your drone astray.

No doubt this hack has major implications for commercial applications of GPS and robotics which are interesting to consider, which is what this article seems to focus on. Section 6 “GPS SPOOFING COUNTERMEASURE” seems to mitigate the threat of this hack.

Thinking about this, it’s more important that a missile only explodes at the right place, than for a drone. Crashing drones don’t kill anybody, with a missile you need to be more sure, particularly a Tomahawk, which is a cruise missile and can be fired from half the world away. And which was state-of-the-art at the time, where UAVs are really glorified model planes.

Just Google for GPS jammers. They are illegal, but that does not keep other countries from selling them. If you just want to crash a civilian GPS controlled helicopter UAV, then you can do it for peanuts. That’s why the stuff we used in Gulf War II had countermeasures for this given that Iraq had installed a ton of GPS jammers around military targets.

This is not that new and does not explain what REALLY happened in Iran.

Guys have to remember that because the military uses it doesn’t mean it’s the most advanced secure system around. It took years to find out that the Taliban were eavesdropping on unencrypted predator video streams.

This is actually not a bad idea. If you used two uavs, one would be a receiver and one a transmitter, this might work. First fly both uavs to the target uav’s position. Then have the one uav fly in the opposite direction than you want the target to go. It relays the unmodified GPS signal it’s receiving on a different frequency to the second uav that broadcasts it in the original frequency. The second uav would use dead reckoning and other sensors to know where its real position is because the GPS wouldn’t work because it would be spoofing itself. To make the target turn right and go lower you would fly the first uav left and go higher. This would fool both unencrypted and encrypted GPS because the signals are legit, they are just being received at the wrong location.

The signals are supposed to originate from space, a bit further away than a hypothetical spoofing-drone could fly. And any GPS device has access to half a dozen atomic clocks, that’s sort-of the point. If a device receives one signal that’s wildly out of sync with the others, it will assume that satellite’s broken and ignore it.

What I’m saying is, it wouldn’t work. Wasn’t there that James Bond film with GPS spoofing (Tomorrow Never Dies I think) a few years ago? AIUI you need encryption keys to spoof GPS. There are so many problems with your idea, any of which would stop it working.

> Iran stole a drone
Stole? Stole from where? :) Drone was a war aggression, imagine if this was in any other country, for example in France, England, Germany, Russia, China. This is provocation for war and they capture drone, not stole.

True! You don’t accuse people of stealing bullets with their bodies. I think some people are so used to the USA being at war with oil-rich countries that they think that’s how things are *supposed* to be.

… or, follow the drone, by decrypting the video signal as per http://www.networkworld.com/news/2009/121709-drone-intercept-encryption.html .. and thus working out its position, then knock it out of the sky in a more conventional manner, (i.e. disable the engine or some other vital system, by shooting, ramming or whatever), and wait for it to crash land sans power. Saves an awful lot of messing about trying to spoof something that may or may not cause the drone to go in the huff.

That paper goes pretty in-depth into how they do it, I’m not sure where the mystery is. Aside from the fact that some of the equipment is nearly unobtainable, it seems all the needed theory is right there.

There’s always been doubts as to whether the drone really crashed, and to the authenticity of the drone on Iran TV. It’s not as simple as just blocking its communications and spoofing GPS — it uses inertial guidance for this reason.

Don’t these drones have an emergency landing function that’s supposed to kick in when the plane can’t get a GPS signal. IDK about the Predator but aren’t some smaller helicopter UAV’s designed to set down whenever the control/GPS signal is lost? If so you could just get it into your territory & then trick into thinking it’s out of fuel or something.

Why hack the drone? Why not just fly up to it with a plane and piggy back onto it?? Can’t possibly be that hard, all you need is a big ‘clamp-shut’ rack mount under the plane. Once clamped in you then take it down nice and low and release it so it bums into the ground before it can correct.

Video exists of drones being shot down by fighters. Once they’ve lobbed their missiles, or dropped expensive monitoring devices, or tossed out whatever giant salami payload seemed useful at the time, they’re just slow moving targets.

In general, all technology is crap, and while quite often the people with the best crap win the coin toss, sometimes they don’t.

In fact, we use most of our endless war strategy to develop and test the latest batch of crap, or to reinvent some old canard for reuse with new and improved contract cash.

All the powers of the world fight everyone else – we’re at cross-purposes with our allies half the time, and half the time they’re selling us out.

Everybody spies on everybody else, and even our strongest allies have spies wandering our halls at night, so to speak. It’s nothing new by any means… the germans monkeyed with our radar and directional signal tech, we monkeyed with theirs, and in truth, none of it had much to do with why the war ended.

It will be the same here – the only way we can win these things is to get the other side to become like us – politically complacent, obsessed with flipping camels for profit, playing videogames and other secular time wasters.

If we can make sure “they” (whoever they are at the moment) get enough to eat, accumulate a little consumer debt and keep the power running long enough that sitting around on the computer and watching TV becomes preferable to playing freedom fighter or engaging in the pursuit of destiny, we win.

I don’t know exactly what we win, but I’m sure that’ll be explained a little later. In the meantime, bread and circuses go a long way to making the world a pretty peaceful place.

It seems like a fair few commenters have a misunderstanding of how GPS works. A few points I have from a two day GPS course I did about 10 years ago.

It’s receive only. I’m not sure if I misunderstood some of the comments, but some seem to be suggesting a two-way communication mechanism.

The GPS satellites broadcast ephemeris data (their location, and orbital data) and the current time. The ephemeris data can be extrapolated to determine the orbital locations in the future. The current time at the satellite is broadcast to the earth (and the receivers on the earth). This signal is delayed, due to the speed of light. The receivers somehow use the data from multiple satellites to determine the time at the receiver. Then the delay path length to each satellite is determined, and then the position of the receiver.

General relativity adjustments are required to get the accuracy in the system. Something to do with the satellites moving in a gravitational field.

Correlators are used on the receiver to look for where the satellite signal should appear (using the CDMA chip code, frequency and doppler due to movement).

–Thoughts on jamming/spoofing at distance—
Jamming a GPS signal would be relatively easy. Your power drops by the distance squared from the transmitter. Let’s say your interferer is 10 miles from the UAV. That’s a free space loss of 120dB at 1.5GHz. So you’d need a big amplifier and a lot of gain on a tracking antenna to jam it over this distance.

To spoof, you’d really need to know the inner working of the GPS receiver on the terminal. Let’s say this is doable. Then assuming it doesn’t do any sanity checking on the ephemeris data, you could inject several fake satellite signals from the one transmitter site. You would have to calculate, in real time, the distance from the spoofed-satellites to the UAV and offset this by the distance from your transmitter to the UAV. So you would need to know accurately the distance from your transmitter to the UAV in realtime. As well as tracking the UAV with your directional antenna.

While this is possible I think it’s more likely that a UAV would suffer a mechanical/design fault causing it to crash than someone would be able to spoof the GPS in such a way that it can be landed relatively intact.
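
How a receiver turns the broadcast satellite positions and signal delays described above into a position, together with the consistency check an earlier comment mentions (a signal wildly out of sync with the others gets ignored), as an added Python example that is not part of the original comments. Satellite coordinates, receiver position, clock bias and the 10 µs fault are constructed values, and the solver is a plain Gauss-Newton least squares, not any particular receiver's algorithm.

```python
"""Pseudorange fix with a residual consistency check. All data are constructed."""
import math

C = 299_792_458.0  # speed of light, m/s


def solve_linear(a, b):
    """Solve the square system a*x = b (Gaussian elimination, partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def residuals(state, sats, prs):
    """Measured minus predicted pseudorange (geometric range + clock bias), metres."""
    return [pr - (math.dist(state[:3], s) + state[3]) for s, pr in zip(sats, prs)]


def solve_fix(sats, prs, iterations=10):
    """Gauss-Newton solve for [x, y, z, clock bias in metres]; returns (state, RMS residual)."""
    state = [0.0, 0.0, 0.0, 0.0]  # start at Earth's centre with zero clock bias
    for _ in range(iterations):
        rows = []
        for s in sats:
            rng = math.dist(state[:3], s)
            rows.append([(state[i] - s[i]) / rng for i in range(3)] + [1.0])
        res = residuals(state, sats, prs)
        hth = [[sum(r[i] * r[j] for r in rows) for j in range(4)] for i in range(4)]
        htr = [sum(r[i] * e for r, e in zip(rows, res)) for i in range(4)]
        state = [v + d for v, d in zip(state, solve_linear(hth, htr))]
    res = residuals(state, sats, prs)
    return state, math.sqrt(sum(e * e for e in res) / len(res))


def fix_with_exclusion(sats, prs, threshold_m=10.0):
    """Return (state, excluded index or None); drops one signal that disagrees with the rest."""
    state, rms = solve_fix(sats, prs)
    if rms <= threshold_m:
        return state, None
    if len(sats) < 6:
        raise ValueError("inconsistent fix and too few satellites to isolate the fault")
    best = None
    for skip in range(len(sats)):
        st, r = solve_fix(sats[:skip] + sats[skip + 1:], prs[:skip] + prs[skip + 1:])
        if best is None or r < best[1]:
            best = (st, r, skip)
    if best[1] > threshold_m:
        raise ValueError("no consistent subset of satellites")
    return best[0], best[2]


# Constructed scenario: receiver near Earth's surface, six satellites at about 26,600 km.
TRUTH = (3_900_000.0, 3_000_000.0, 4_000_000.0)
CLOCK_BIAS_M = 85_000.0  # receiver clock error expressed as a distance
SATS = [(26.6e6, 0.0, 0.0), (0.0, 26.6e6, 0.0), (0.0, 0.0, 26.6e6),
        (15.4e6, 15.4e6, 15.4e6), (20.0e6, -10.0e6, 14.5e6), (-10.0e6, 20.0e6, 14.5e6)]


def make_pseudoranges(fault_index=None, fault_seconds=0.0):
    """Delay-derived ranges as the receiver sees them, optionally with one mistimed signal."""
    prs = [math.dist(TRUTH, s) + CLOCK_BIAS_M for s in SATS]
    if fault_index is not None:
        prs[fault_index] += C * fault_seconds
    return prs


if __name__ == "__main__":
    for label, prs in [("consistent", make_pseudoranges()),
                       ("satellite 4 late by 10 us", make_pseudoranges(4, 10e-6))]:
        state, excluded = fix_with_exclusion(SATS, prs)
        print(label, "-> error %.3f m, excluded %s" % (math.dist(state[:3], TRUTH), excluded))
```

The check works because six pseudoranges over-determine four unknowns; it isolates a single signal that disagrees with the rest and says nothing about a set of signals that agree with each other.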

Some of the comments mention redundancy in military aircraft, whether in navigation, propulsion, or control systems. But these are UAV, they do not carry a human payload, so it is possible, economically feasible to lighten the UAV by leaving off redundancy, giving it further range, or more sophisticated payloads (video feeds, encrypted control signals or what have you) and rely solely on GPS (and maybe a compass and gyroscope).

I salute anyone that can bring these skynet drones to the ground. F*cking unfair warfare to use these… Two people fighting with sticks and rocks are much more civilized than piloting a drone and killing people from the other side of a big ocean! Terrorists or not – if you’re going to kill someone in war you should be able to look them in their eyes when you do so!

Besides, you don’t get into history books by reading them, and certainly not by learning from other people’s mistakes through the millennia.

We probably have a few thousand years or more before we find the winning combination of genocide and ennui that brings peace to the world. Killing each other to resolve disputes is rather effective on an evolutionary time scale, even though the actual minutes are tedious for us, what with subjugation and ignorance and all.

I’m pretty sure that neither ethics nor morality has any place in war, save for propaganda, HR management and the fevered imaginations of the winning side as they get it all down on paper.

After reading a couple days ago about an Iranian Engineer’s claim that they picked it up via tractor beam in the belly of their UFO, I started wondering if this might be some psychobabble and, incidentally a distorted rumor.

The way I first read this capture was that the Iranians saw the UAV several times visually, the CIA being regular as clockwork + arrogant in feeling that their upper level intelligence network would always and without fail triumph over Iranian ox cart technology + a NASA style denial environment that would not accept a fact as true.

My Theory: they saw it, timed it, sent up an aircraft with a large cargo net and scooped it up, AFTER jamming the GPS signal. A simpler solution while it is simply flying in circles than calling in the Arcturian Battle Troopers.

Since the equipment is relatively simple trying to regulate it is a non solution instead the fix should be within the UAV themselves.

A proper fix would be to have both celestial and inertial navigation and when the GPS signal is far out of spec with the other two sources the UAV then assumes the GPS signal is being spoofed.
A second solution would be to encrypt the military GPS signal.
With it encrypted it would be harder to generate a false signal if you don’t have the key.
I’d go with both solutions to make a repeat of the Iran incident as difficult as possible.

I hate to break it to you arm chair UAV pilots out there but the GPS feed to drones have heavy encryption. Even the simple GPS receivers for ground based satcom have an encryption fill option on the GPS device itself. All that device does is help the satellite figure out where to point and get timing for its TDMA modem. If you think military drones are running around with a $99 Garmin GPS to navigate and you can take control with a $50 jammer then you should probably get off the internet because you’ve failed at life. I won’t even get into the drone’s ability to break off autonomous flight at anytime, and the pilot’s ability to fly a compass heading back to base.

As for the interception of video feeds from drones…it’s called misdirection. Best way to fool someone is give them what they’re looking for. When even the handheld radio of some random solider pulling guard duty has comsec loaded on it, do you seriously, I mean SERIOUSLY think a drone video feed is just going to get pulled out of the open unencrypted air?

It never fails to amaze me what a bunch of know-it-alls will speculate about, while us contractors and soldiers are sitting here in Afghanistan doing it every day in secrecy while laughing at you about it.

It obviously is not very good encryption as Iran was able to crack it and spoof the signal so it needs to be improved.
We’re talking Iran here not Russia or China who are likely old hats at this sort of stuff and laugh their asses off at the US military’s overdependence on drones they already know how to defeat.
They also depend far too heavily on GPS.
I wonder if the encryption used in a DBS receiver is more advanced than what’s being used to guard the military GPS signal.
Again this all could be avoided by having a second source of navigation such as celestial or even land mark based navigation as a backup.

So, how about having the GPS jamming equipment mounted on another UAV? Seems like you could just follow any UAV you wanted around, lock on, and steal control. With UAV’s being as cheap as they are, I would think a Zephyr from http://www.marcusuav.com would be perfect for the job or any real hackers dream…